Will Blockchain Improve Financial Cybersecurity?

Blockchain is a technology that can keep records of transactions secure. One of the most common and well known blockchain implementations is the transactional backbone of Bitcoin and a number of other cryptocurrencies. Now, both tech and financial services companies such as IBM, Deutsche Bank, HSBC, CIBC, Barclays, Intel, Wells Fargo, and Bank of America Merril Lynch are counting on blockchain technology to help secure the financial sector.

But what exactly is Blockchain, and will it do society any good?

What is Blockchain?

Blockchain is a type of distributed ledger technology. It’s composed of “blocks” which are “chained” together by cryptographic hashing. With financial transactions, or other sorts of data which can be logged occur through a particular blockchain system, new blocks are added to the ledger and connected to all of the other blocks through the hashing function. When an entity has the right keys, they can refer to transactions in the chain. The data in the chain should be ciphertext – text encrypted by strong algorithms – so when used properly, the data shouldn’t be accessible to unauthorized parties. Blockchain is designed to protect both the confidentiality and integrity concepts of the CIA triad.

There are two major types of blockchains: public blockchains and permissioned blockchains.

Public blockchains are implemented by Bitcoin (BTC), Ethereum (ETH), and a number of other technologies. Usually anyone with the right software can add blocks to the ledger, validate transactions, and view the ledger. When Bitcoin works properly, a Bitcoin user can make payments or receive money in the cryptocurrency, add those transactions to the blockchain, and the software can validate that data.

Permissioned blockchains are stricter in some ways than public blockchains. Only a limited number of parties are granted access to a permissioned blockchain. The authentication standards for the specific authorized parties are usually rigorous, and there usually must be a record of an individual’s legal name or “true” identity. For example, if I was an authorized party to a permissioned blockchain, they’d have to know that my full legal name is Kimberly Faye Crawley, I couldn’t simply go by “Crowgirl.” They may also want other details about me, such as my home or business street address. Permissioned blockchain implementations can integrate more traditional cybersecurity measures such as access control lists.

Both public and permissioned blockchains have their respective strengths and weaknesses. The financial services industry is generally more interested in permissioned blockchains.

How is the Financial Services Industry Incorporating Blockchain?

A number of big names in the financial sector are working on implementing blockchain technology with the goal of improving their overall cybersecurity.

Full details about Utility Settlement Coin (USC) were publicly announced on August 30, 2017. USC is a collaborative effort between HSBC, CIBC, MUFG, Deutsche Bank, Credit Suisse, UBS, State Street, Barclays, NEX, BNY Mellon, and Santander. Blockchain startup Clearmatics is working on the technical development. USC will be a new digital currency standard.

UBS head of strategic development and fintech innovation Hyder Jaffrey discussed USC in June 2017.

“We think a distributed ledger can help banks better manage risk and increase capital efficiency,” Jaffrey explains. “By moving post-trade processes onto a distributed ledger, banks can reduce settlement risk, counterparty risk and market risk. But in order to do that, the cash that is at the root of everything banks do has to be represented on the ledger. USC is a way of representing cash on a ledger.”

He goes on to add:

“We don’t see USC as a cryptocurrency, we see it as ‘cryptocash.’ It isn’t a new currency, it’s a way to represent existing currencies like dollars or pounds or euros on a distributed ledger. If a client presents £100 they will be issued the corresponding value in sterling USC and the value would always remain £100. It means the cash is on the ledger and will always be backed by real cash held at the central bank – in much the same way cash is technically a promissory note that used to be backed by physical gold.

It helps to think of the world of digital currencies as a spectrum. At one end of it you have bitcoin, which is unregulated and operates outside of government control. At the other end you have central bank digital currencies – digital versions of existing currencies. USC is positioned right in the middle, with some of the benefits of Bitcoin, such as the real-time transfer of value, while taking on some characteristics of ‘real money’ issued by central banks. It is pegged to those fiat currencies and will always have the same value.”

So, USC wouldn’t be a cryptocurrency like Bitcoin or Litecoin (LTC). It’ll be a digital currency standard that fiat currencies can be transacted through. The banks participating in USC can then implement the ‘cryptocash’ technology to conduct the kind of financial transactions they’ve been doing for years.

Interestingly enough, HSBC, Unicredit, KBC, Natixis, Societe Generale, Deutsche Bank, and Rabobank support IBM’s Hyperledger Fabric project. That means HSBC and Deutsche Bank are interested in both USC and the Hyperledger Fabric project.

This is an exciting development for many reasons. IBM’s Hyperledger Fabric project is a trade finance platform which will go through IBM Cloud. The technology is designed to be highly scalable, which could make it easy for many other financial institutions around the world to use the platform. It’s an open source framework, so many other developers may be able to improve Hyperledger Fabric’s security and functionality as time goes on.

Loyyal is a universal loyalty and rewards platform, built with blockchain and smart contact technology. Loyyal’s Chief Architect Shannon Code is one of many developers who have been working with Hyperledger Fabric. He’s optimistic about the technology’s potential.

“The Hyperledger Project is an obvious first step at global adoption and standardization,” he notes. “Blockchain and distributed ledger technology can’t get the attention it deserves without sharing and discovering the technology’s strengths and weaknesses. Loyyal joined the Hyperledger Project early because we understand this need for coopetition. Fabric has done a fantastic job combining distributed ledger technology in a way that can be used to meet the needs of businesses. The focus on security and privacy combined with modularity means that some of the hard questions that get asked now have answers.”

R3 is a blockchain consortium which is supported by Wells Fargo, ING, Bank of America Merrill Lynch, Temasek, and SBI Group. Tech giant Intel is also involved. R3 is also a contributor to the Hyperledger Fabric project.

Corda is R3’s open source financial platform. R3 CEO David Rutter says they’re developing an “operating system for finance.” Corda will be a blockchain-based platform which banks can use to develop apps. Clearly, Rutter believes that Corda is the most promising blockchain implementation for the financial services industry. He notes:

“Corda is a completely open system that is going to empower entrepreneurs to be able to build Corda apps, roll them out, and actually have them be adopted because they will work with the current financial rails, in a way that is cognizant of and compliant with the regulatory regime. Corda and R3 has just been legitimised by not just a $107 million investment, but we’re now majority owned by the world’s largest financial institutions. There’s no safer bet in the world.”

Opportunities and Risks for Blockchain and Finsec

Proper blockchain implementation could do wonders to improve finsec (financial security), and also to improve the functionality and efficiency of banks’ digital backends. But like anything else, there are also risks involved. And absolutely nothing is 100% secure.

Microsoft just released a report on blockchain’s potential for financial cybersecurity, Advancing Blockchain Cybersecurity: Technical and Policy Considerations for the Financial Services Industry (PDF). Microsoft sees a lot of potential in how aspects of permissioned blockchain technology can improve the cybersecurity of the financial services industry. The distributed architecture of permissioned blockchains can improve resiliency against cyberattacks.

According to the new Microsoft report:

“The distributed architecture of a permissioned blockchain is an advantage that can deter or minimize the effect of cyber attacks. Threat actors generally prefer to target a centralized database that, once compromised, would infect and destabilize the system as a whole. A distributed network structure, however, provides inherent operational resilience because there is no single point of failure. With the risk of compromise dispersed among various nodes, an attack on one or a small number of participants would not result in the loss or compromise of the ledger stored on computer nodes not subject to attack. This distributed architecture, for example, makes permissioned blockchains less appealing targets for ransomware attacks since a ledger securely stored in multiple nodes is less susceptible to lock down by a hacker than centrally stored information.”

The transparent nature of permissioned blockchains is another advantage. Microsoft elaborates:

“Transparency in permissioned blockchain networks provides another degree of cybersecurity protection. For example, the transparency of a permissioned blockchain among participants makes it more challenging for hackers to place malware in the network to collect information and to transmit it covertly to another database managed by the hacker. Because each participant has an identical copy of the ledger, the network creates the opportunity for deploying enhanced compliance processes including, among other things, real-time auditing or monitoring by other participants or by regulators granted limited access to the network. As a result, vulnerabilities and threats may be identified quickly if good risk management and compliance controls are implemented.”

Of course, the implementation of encryption is a key security feature of permissioned blockchains.

“Permissioned blockchain networks employ multiple forms of encryption at different points, providing multilayered protections against cybersecurity threats... Strong key management preserves the integrity of the public and private key encryption mechanism, and helps fortify the ledger and the network against cyber attacks.”

But permissioned blockchain systems can be quite vulnerable if not implemented with care. Here are some of the risks which Microsoft identifies. Any cryptographic system is only as good as its key management:

“Perhaps the single most important risk to blockchain security is key management. Maintaining the confidentiality, integrity, and availability of private keys requires thoughtful and robust cybersecurity controls. Some individuals reportedly have lost or misplaced their private keys, resulting in the loss of assets stored on a blockchain because private keys, by design, are not recoverable. To minimize individual mistakes, service providers, including digital wallet providers and CSPs (communications service providers), have emerged to provide key management services, which has become a critical feature of all types of blockchains. To date, the majority of cyber attacks related to blockchains have not attacked the blockchains themselves, but have targeted providers of key management services in attempts to steal private keys.”

There are, however, software vulnerabilities in everything. Permissioned blockchain implementation can only be reasonably effective if care is taken to develop secure code.

“As with any computer IT system, human coding errors can introduce cybersecurity risk into blockchains. Permissioned blockchains are built on software code, as are numerous off-chain applications that interface with such blockchains. No software is 100% free from defects, and any defect has the potential to be exploited to compromise a cybersecurity program. For example, hackers in 2016 exploited a coding defect in the source code of a virtual company, known as the Distributed Autonomous Organization (DAO), which resulted in the theft of $55 million.”

Attack vectors are always evolving. Permissioned blockchain systems can only maintain adequate security if the entities which implement them keep on their toes. Security is a process, not a product!

“It is reasonable to expect new strategies and threats to emerge to exploit unforeseen vulnerabilities in blockchains. One longer-term risk that is gaining attention among observers is the possibility of quantum computing-based attacks that leverage enhanced computational power to weaken or compromise existing cryptographic algorithms used in existing IT systems and in blockchains. As a general matter, all participants in blockchain systems need continuing education to anticipate and protect against threats from new attack vectors, and to adapt and upgrade security protocols as necessary to ensure the success and viability of the network.”

Is Blockchain the Future of Finsec?

The implementation of permissioned blockchain systems in financial security looks really promising. Perhaps sooner rather than later, my own checking account transactions will involve Canadian Dollars, American Dollars, and British Pounds going through USC. I may at some point use an app that my bank developed with Corda. It’s also quite likely that my transactions will go through Hyperledger Fabric, and I won’t even be able to tell as a mere consumer.

If all of these technologies are developed and implemented properly, my money and financial activities may be more secure from cyberattacks. And I’m just a private individual, not a business.

But there’s an awful lot of hype about blockchain in general. It’s vital that the financial services industry understands that permissioned blockchain systems aren’t a panacea against all cyberattacks, and they’ll only be effectively secure if they’re implemented and maintained with tremendous vigilance.